Under Articles 26 and 27 of DORA, identified financial entities must carry out Threat-Led Penetration Testing (TLPT) at least every three years. This is not a standard pentest — it is a full-scale, intelligence-driven red team exercise against your live production systems.
What Makes TLPT Different?
The fundamental difference between TLPT and traditional penetration testing is scope and realism:
- Standard pentest: Tests specific systems or applications in a controlled environment
- TLPT: Simulates real cyberattacks against the entire organisation, guided by threat intelligence, on live production systems
TLPT follows the TIBER-EU framework, which the European Central Bank updated in November 2025 to align with DORA’s regulatory technical standards.
Who Must Conduct TLPT?
DORA mandates TLPT for:
- Credit institutions identified as Global Systemically Important Institutions (G-SIIs)
- Electronic money institutions exceeding EUR 150 billion in payment transactions
- Central securities depositories and central counterparties
- Trading venues with the highest national market share
- Insurance and reinsurance undertakings meeting specific thresholds
The Three Phases of TLPT
1. Preparation Phase
Engage a qualified threat intelligence provider and red team. Define scope with your competent authority. Establish a control team (typically 2–3 people who know the test is happening).
2. Testing Phase
The threat intelligence team produces a targeted threat intelligence report identifying realistic attack scenarios. The red team then executes these scenarios against live systems over a period of typically 10–12 weeks, without the knowledge of your security operations centre.
3. Closure Phase
Findings are compiled into a red team report. A purple team exercise follows, in which the red team and the blue team work together to understand the vulnerabilities and develop remediation plans. Results are shared with the competent authority.
Key Requirements for Red Team Providers
- Must be external (internal red teams cannot lead TLPT)
- Must hold relevant certifications (CREST, CBEST, or equivalent)
- Must carry professional indemnity insurance
- Must demonstrate experience in threat-led testing for financial services
Getting Started
If your institution is identified for TLPT, start planning now. The preparation phase alone typically takes 2–3 months, and qualified red team providers are in high demand.